Anantasoft Gazelle CMS version 1.0 suffers from a persistent cross site scripting vulnerability.
237230e8444c4dc90ee11c4aefd55441f80d751abd272c8cce21ae3c8a932068
____/\______.__ ________ _________ _____ ____/\__
____/\__ _____ ____/\__ ____/\______
/ / /_/_ | | \_____ \ ___\______ \ / ___ \/ / /_// /
/_/ / ___ \/ / /_// / /_/_ | ____
\__/ / \ | | | _(__ < / \ / / / / ._\ \__/ / \ \__/ / \
/ / ._\ \__/ / \ \__/ / \ | |/ \
/ / / \| | |__/ \ | \/ / < \_____/ / / \/ / /
< \_____/ / / \/ / / \| | | \
/_/ /__ /|___|____/______ /___| /____/ \_____\/_/ /__ /_/ /__
/\_____\/_/ /__ /_/ /__ /|___|___| /
\/ \/ \/ \/ \/ \/ \/ \/
\/ \/ \/ \/ \/
------------------------------------------------------------------------------
-------------------------------------------------------------------
TITLE: Anantasoft Gazelle CMS Admin Panel Multiple stored XSS
Vendor: Anantasoft Gaselle CMS
Author: $1l3n7 @$$@$$17
Email: sil3ntb0t@gmail.com
Download Link: http://www.anantasoft.com/index.php?Gazelle%20CMS/Download
Versions: 1.0
Tested on: Windows7
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Description : Anantasoft's Gazelle CMS apparantly found it's way to a
magazine: the
January 2009 edition of LinuxFormat. Or rather: it's
editors found their
way to Gazelle CMS. Anantasoft.com
<http://www.anantasoft.com/index.php> has ranked 2nd in the CMS Awards
Popular Awards in the category SEO 2008.
Anantasoft Gaselle CMS 1.0 is vulnerable to stored xss
due to improper
input sanitization.An attacker can inject arbitrary
java script and can
be used for session hijacking.
DEMO:
A)Persistent XSS
http://localhost/gazelle/admin/index.php?Users
DEMO: http://www.opensourcecms.com/demo/2/193/Anantasoft+Gazelle+CMS
In Add User Tab -> Username Field
In Add Usergroup Tab -> User group field
In Modules -> Create Module -> Module name field
In Menu -> Add menu -> Menu Name field
POST DATA= "'-->><script>alert(0)</script>
----------------------------------------------------------------------------
gr33t1ngs and ShOuTZ to r007k17-w and all my friends..